Hi Mariano,

If you want to use a unique secret for each subscription, you'll have to use
unique callbacks. Knowing the callback you can figure out the secret and
verify that the notification has indeed come from the hub that you've
shared the secret with.

Roman.

On Fri, Aug 10, 2012 at 9:30 PM, Mariano Guerra <[email protected]> wrote:

> hi!
>
> I'm trying to make the getting started guide again with an example that is
> useful for something, also I wanted to have code that handled verification
> according to the spec.
>
> for that I'm sending the secret to the hub to verify it when the receiver
> receives the notification, the thing is that it seems the hub I'm using (
> https://pubsubhubbub.appspot.com/) doesn't send hub.secret when notifying
> subscribers.
>
> the spec says
>
> "
> hub.secret OPTIONAL. A subscriber-provided secret string that will be used
> to compute an HMAC digest for authorized content distribution. If not
> supplied, the HMAC digest will not be present for content distribution
> requests. This parameter SHOULD only be specified when the request was made
> over HTTPS [RFC2818]. This parameter MUST be less than 200 bytes in
> length."
>
>
> looking at the code (mainly pubsubhubbub/hub/main.py line 2896) doesn't seem
> to show it's being sent, also grep'ing for hub.secret doesn't bring a useful
> result.
>
> is that so?
>
> X-Hub-Signature is being sent but if the secret is unique for each
> subscription and I can't recover it when the request is done then I can't
> verify that the notification is valid
>
> am I missing something?
>

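The approach described in the reply above, sketched as an added example (not code from this thread or from the hub): the subscriber keys each secret by its own callback path and recomputes the HMAC over the raw notification body. The callback paths, secrets and function names are hypothetical, and the header is assumed to have the form `sha1=<hex HMAC-SHA1 of the body>`.

```python
import hashlib
import hmac

# Constructed sample data: one secret per callback path, stored by the
# subscriber when it sent hub.secret in the subscription request.
SECRETS_BY_CALLBACK = {
    "/callback/feed-a": b"secret-for-feed-a",
    "/callback/feed-b": b"secret-for-feed-b",
}


def sign(secret: bytes, body: bytes) -> str:
    """Header value a hub would send: HMAC-SHA1 over the raw body."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_notification(callback_path, signature_header, body: bytes) -> bool:
    """Return True only if the body was signed with this callback's secret."""
    # The hub never sends the secret back; the callback URL that was hit
    # tells the subscriber which stored secret applies.
    secret = SECRETS_BY_CALLBACK.get(callback_path)
    if secret is None or not signature_header:
        return False
    algo, sep, digest = signature_header.partition("=")
    if sep != "=" or algo.strip().lower() != "sha1":
        return False
    expected = hmac.new(secret, body, hashlib.sha1).hexdigest()
    # Compare as bytes in constant time; bytes also tolerate odd header input.
    received = digest.strip().lower().encode("utf-8", "replace")
    return hmac.compare_digest(expected.encode("ascii"), received)


if __name__ == "__main__":
    body = b"<feed><entry>constructed sample</entry></feed>"
    header = sign(SECRETS_BY_CALLBACK["/callback/feed-a"], body)
    print(verify_notification("/callback/feed-a", header, body))  # True
    print(verify_notification("/callback/feed-b", header, body))  # False
```

Verification has to run over the exact bytes received, before any XML parsing or re-encoding, or the digest will not match.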